1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-17 06:55:02 -05:00
Commit Graph

10239 Commits

Author SHA1 Message Date
Matus Uzak
462037ad48
smb: fix incorrect path in request if connection reused
Follow-up to 09e401e01b.  If connection gets reused, then data member
will be copied, but not the proto member.  As a result, in smb_do(),
path has been set from the original proto.share data.

Closes #3388
2018-12-19 09:52:36 +01:00
Daniel Stenberg
f097669248
mbedtls: use VERIFYHOST
Previously, VERIFYPEER would enable/disable all checks.

Reported-by: Eric Rosenquist
Fixes #3376
Closes #3380
2018-12-17 23:36:42 +01:00
Daniel Stenberg
d8a9de6203
pingpong: change default response timeout to 120 seconds
Previously it was 30 minutes
2018-12-17 12:33:18 +01:00
Daniel Stenberg
154a17b6ee
pingpong: ignore regular timeout in disconnect phase
The timeout set with CURLOPT_TIMEOUT is no longer used when
disconnecting from one of the pingpong protocols (FTP, IMAP, SMTP,
POP3).

Reported-by: jasal82 on github

Fixes #3264
Closes #3374
2018-12-17 12:33:00 +01:00
Ayoub Boudhar
f464535bfd
http: Implement trailing headers for chunked transfers
This adds the CURLOPT_TRAILERDATA and CURLOPT_TRAILERFUNCTION
options that allow a callback based approach to sending trailing headers
with chunked transfers.

The test server (sws) was updated to take into account the detection of the
end of transfer in the case of trailing headers presence.

Test 1591 checks that trailing headers can be sent using libcurl.

Closes #3350
2018-12-14 10:10:48 +01:00
Daniel Stenberg
4531b299cc
darwinssl: accept setting max-tls with default min-tls
Reported-by: Andrei Neculau
Fixes #3367
Closes #3373
2018-12-14 09:54:31 +01:00
Daniel Stenberg
4b4062aaeb
gopher: fix memory leak from 9026083ddb 2018-12-13 15:06:17 +01:00
Leonardo Taccari
9026083ddb
gopher: always include the entire gopher-path in request
After the migration to URL API all octets in the selector after the
first `?' were interpreted as query and accidentally discarded and not
passed to the server.

Add a gopherpath to always concatenate possible path and query URL
pieces.

Fixes #3369
Closes #3370
2018-12-13 10:22:25 +01:00
Leonardo Taccari
305d25ed8a
urlapi: distinguish possibly empty query
If just a `?' to indicate the query is passed always store a zero length
query instead of having a NULL query.

This permits to distinguish URL with trailing `?'.

Fixes #3369
Closes #3370
2018-12-13 10:21:33 +01:00
Daniel Gustafsson
7a09b52c98 cookies: leave secure cookies alone
Only allow secure origins to be able to write cookies with the
'secure' flag set. This reduces the risk of non-secure origins
to influence the state of secure origins. This implements IETF
Internet-Draft draft-ietf-httpbis-cookie-alone-01 which updates
RFC6265.

Closes #2956
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-12-13 09:57:58 +01:00
Daniel Gustafsson
d8607da1a6 urlapi: Fix port parsing of eol colon
A URL with a single colon without a portnumber should use the default
port, discarding the colon. Fix, add a testcase and also do little bit
of comment wordsmithing.

Closes #3365
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-12-12 11:48:04 +01:00
Daniel Stenberg
435402cfe3
Curl_follow: extract the Location: header field unvalidated
... when not actually following the redirect. Otherwise we return error
for this and an application can't extract the value.

Test 1518 added to verify.

Reported-by: Pavel Pavlov
Fixes #3340
Closes #3364
2018-12-12 07:58:47 +01:00
Daniel Stenberg
ecb2e194d4
multi: convert two timeout variables to timediff_t
The time_t type is unsigned on some systems and these variables are used
to hold return values from functions that return timediff_t
already. timediff_t is always a signed type.

Closes #3363
2018-12-11 15:43:20 +01:00
Daniel Gustafsson
e1be2ecba4 tests: add urlapi unittest
This adds a new unittest intended to cover the internal functions in
the urlapi code, starting with parse_port(). In order to avoid name
collisions in debug builds, parse_port() is renamed Curl_parse_port()
since it will be exported.

Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2018-12-11 15:02:24 +01:00
Daniel Gustafsson
63533cbde2 urlapi: fix portnumber parsing for ipv6 zone index
An IPv6 URL which contains a zone index includes a '%%25<zode id>'
string before the ending ']' bracket. The parsing logic wasn't set
up to cope with the zone index however, resulting in a malformed url
error being returned. Fix by breaking the parsing into two stages
to correctly handle the zone index.

Closes #3355
Closes #3319
Reported-by: tonystz on Github
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2018-12-11 15:02:19 +01:00
Jay Satiro
552f0205e6
http: fix HTTP auth to include query in URI
- Include query in the path passed to generate HTTP auth.

Recent changes to use the URL API internally (46e1640, 7.62.0)
inadvertently broke authentication URIs by omitting the query.

Fixes https://github.com/curl/curl/issues/3353
Closes #3356
2018-12-11 13:28:20 +01:00
Michael Kaufmann
c8bf8cc1e4
http: don't set CURLINFO_CONDITION_UNMET for http status code 204
The http status code 204 (No Content) should not change the "condition
unmet" flag. Only the http status code 304 (Not Modified) should do
this.

Closes #359
2018-12-11 13:22:42 +01:00
Samuel Surtees
1b443a7c00
ldap: fix LDAP URL parsing regressions
- Match URL scheme with LDAP and LDAPS
- Retrieve attributes, scope and filter from URL query instead

Regression brought in 46e164069d (7.62.0)

Closes #3362
2018-12-11 13:20:12 +01:00
Stefan Kanthak
e1360a1c91
(lib)curl.rc: fixup for minor bugs
All resources defined in lib/libcurl.rc and curl.rc are language
neutral.

winbuild/MakefileBuild.vc ALWAYS defines the macro DEBUGBUILD, so the
ifdef's in line 33 of lib/libcurl.rc and src/curl.rc are wrong.

Replace the hard-coded constants in both *.rc files with #define'd
values.

Thumbs-uped-by: Rod Widdowson, Johannes Schindelin
URL: https://curl.haxx.se/mail/lib-2018-11/0000.html
Closes #3348
2018-12-10 00:10:04 +01:00
Daniel Stenberg
1e9abfedfa
cookies: expire "Max-Age=0" immediately
Reported-by: Jeroen Ooms
Fixes #3351
Closes #3352
2018-12-09 18:34:55 +01:00
Johannes Schindelin
d997aa0e96
Upon HTTP_1_1_REQUIRED, retry the request with HTTP/1.1
This is a companion patch to cbea2fd2c (NTLM: force the connection to
HTTP/1.1, 2018-12-06): with NTLM, we can switch to HTTP/1.1
preemptively. However, with other (Negotiate) authentication it is not
clear to this developer whether there is a way to make it work with
HTTP/2, so let's try HTTP/2 first and fall back in case we encounter the
error HTTP_1_1_REQUIRED.

Note: we will still keep the NTLM workaround, as it avoids an extra
round trip.

Daniel Stenberg helped a lot with this patch, in particular by
suggesting to introduce the Curl_h2_http_1_1_error() function.

Closes #3349

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2018-12-08 10:59:23 +01:00
Ben Greear
07e61abdac
openssl: fix unused variable compiler warning with old openssl
URL: https://curl.haxx.se/mail/lib-2018-11/0055.html

Closes #3347
2018-12-07 17:03:17 +01:00
Johannes Schindelin
cbea2fd2c7
NTLM: force the connection to HTTP/1.1
Since v7.62.0, cURL tries to use HTTP/2 whenever the server announces
the capability. However, NTLM authentication only works with HTTP/1.1,
and will likely remain in that boat (for details, see
https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10/http2-on-iis#when-is-http2-not-supported).

When we just found out that we want to use NTLM, and when the current
connection runs in HTTP/2 mode, let's force the connection to be closed
and to be re-opened using HTTP/1.1.

Fixes https://github.com/curl/curl/issues/3341.
Closes #3345

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2018-12-07 13:03:21 +01:00
Johannes Schindelin
2456152069
curl_global_sslset(): id == -1 is not necessarily an error
It is allowed to call that function with id set to -1, specifying the
backend by the name instead. We should imitate what is done further down
in that function to allow for that.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

Closes #3346
2018-12-07 11:38:22 +01:00
Daniel Stenberg
d506df860f
doh: fix memory leak in OOM situation
Reviewed-by: Daniel Gustafsson
Closes #3342
2018-12-06 09:52:38 +01:00
Daniel Stenberg
027d66e5f1
doh: make it work for h2-disabled builds too
Reported-by: dtmsecurity at github
Fixes #3325
Closes #3336
2018-12-05 23:44:26 +01:00
Gergely Nagy
08efa19e6a
openssl: do not use file BIOs if not requested
Moves the file handling BIO calls to the branch of the code where they
are actually used.

Closes #3339
2018-12-05 15:26:18 +01:00
Paul Howarth
8ad9e5915a
nss: Fix compatibility with nss versions 3.14 to 3.15 2018-12-05 15:24:32 +01:00
Paul Howarth
71a1442eb2
nss: Improve info message when falling back SSL protocol
Use descriptive text strings rather than decimal numbers.
2018-12-05 15:24:32 +01:00
Paul Howarth
6848ea585b
nss: Fall back to latest supported SSL version
NSS may be built without support for the latest SSL/TLS versions,
leading to "SSL version range is not valid" errors when the library
code supports a recent version (e.g. TLS v1.3) but it has explicitly
been disabled.

This change adjusts the maximum SSL version requested by libcurl to
be the maximum supported version at runtime, as long as that version
is at least as high as the minimum version required by libcurl.

Fixes #3261
2018-12-05 15:24:32 +01:00
Daniel Gustafsson
6381708970 checksrc: add COPYRIGHTYEAR check
Forgetting to bump the year in the copyright clause when hacking has
been quite common among curl developers, but a traditional checksrc
check isn't a good fit as it would penalize anyone hacking on January
1st (among other things). This adds a more selective COPYRIGHTYEAR
check which intends to only cover the currently hacked on changeset.

The check for updated copyright year is currently not enforced on all
files but only on files edited and/or committed locally. This is due to
the amount of files which aren't updated with their correct copyright
year at the time of their respective commit.

To further avoid running this expensive check for every developer, it
adds a new local override mode for checksrc where a .checksrc file can
be used to turn on extended warnings locally.

Closes #3303
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-12-03 23:13:40 +01:00
Sevan Janiyan
b466560124 connect: fix building for recent versions of Minix
EBADIOCTL doesn't exist on more recent Minix.
There have also been substantial changes to the network stack.
Fixes build on Minix 3.4rc

Closes https://github.com/curl/curl/pull/3323
2018-11-29 02:05:23 -05:00
Daniel Gustafsson
fd1049554f doh: fix typo in infof call
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-11-26 11:40:26 +01:00
Daniel Stenberg
34fe0e1622
curl_easy_perform: fix timeout handling
curl_multi_wait() was erroneously used from within
curl_easy_perform(). It could lead to it believing there was no socket
to wait for and then instead sleep for a while instead of monitoring the
socket and then miss acting on that activity as swiftly as it should
(causing an up to 1000 ms delay).

Reported-by: Antoni Villalonga
Fixes #3305
Closes #3306
Closes #3308
2018-11-25 11:25:43 +01:00
Daniel Stenberg
a52e46f390
cookies: create the cookiejar even if no cookies to save
Important for when the file is going to be read again and thus must not
contain old contents!

Adds test 327 to verify.

Reported-by: daboul on github
Fixes #3299
Closes #3300
2018-11-23 14:50:51 +01:00
Daniel Stenberg
2e49610853
checksrc: ban snprintf use, add command line flag to override warns 2018-11-23 08:26:51 +01:00
Daniel Stenberg
dcd6f81025
snprintf: renamed and we now only use msnprintf()
The function does not return the same value as snprintf() normally does,
so readers may be mislead into thinking the code works differently than
it actually does. A different function name makes this easier to detect.

Reported-by: Tomas Hoger
Assisted-by: Daniel Gustafsson
Fixes #3296
Closes #3297
2018-11-23 08:26:51 +01:00
Tobias Hintze
5b4cce2e36
host names: allow trailing dot in name resolve, then strip it
Delays stripping of trailing dots to after resolving the hostname.

Fixes #3022
Closes #3222
2018-11-22 13:40:51 +01:00
Michael Kaufmann
549310e907 openssl: support session resume with TLS 1.3
Session resumption information is not available immediately after a TLS 1.3
handshake. The client must wait until the server has sent a session ticket.

Use OpenSSL's "new session" callback to get the session information and put it
into curl's session cache. For TLS 1.3 sessions, this callback will be invoked
after the server has sent a session ticket.

The "new session" callback is invoked only if OpenSSL's session cache is
enabled, so enable it and use the "external storage" mode which lets curl manage
the contents of the session cache.

A pointer to the connection data and the sockindex are now saved as "SSL extra
data" to make them available to the callback.

This approach also works for old SSL/TLS versions and old OpenSSL versions.

Reviewed-by: Daniel Stenberg <daniel@haxx.se>

Fixes #3202
Closes #3271
2018-11-21 11:18:25 +01:00
Michael Kaufmann
30a65381f9 ssl: fix compilation with OpenSSL 0.9.7
- ENGINE_cleanup() was used without including "openssl/engine.h"
- enable engine support for OpenSSL 0.9.7

Closes #3266
2018-11-21 11:14:26 +01:00
Daniel Stenberg
59311bd3df
openssl: disable TLS renegotiation with BoringSSL
Since we're close to feature freeze, this change disables this feature
with an #ifdef. Define ALLOW_RENEG at build-time to enable.

This could be converted to a bit for CURLOPT_SSL_OPTIONS to let
applications opt-in this.

Concern-raised-by: David Benjamin
Fixes #3283
Closes #3293
2018-11-21 08:30:18 +01:00
Romain Fliedel
6765e6d9e6
ares: remove fd from multi fd set when ares is about to close the fd
When using c-ares for asyn dns, the dns socket fd was silently closed
by c-ares without curl being aware. curl would then 'realize' the fd
has been removed at next call of Curl_resolver_getsock, and only then
notify the CURLMOPT_SOCKETFUNCTION to remove fd from its poll set with
CURL_POLL_REMOVE. At this point the fd is already closed.

By using ares socket state callback (ARES_OPT_SOCK_STATE_CB), this
patch allows curl to be notified that the fd is not longer needed
for neither for write nor read. At this point by calling
Curl_multi_closed we are able to notify multi with CURL_POLL_REMOVE
before the fd is actually closed by ares.

In asyn-ares.c Curl_resolver_duphandle we can't use ares_dup anymore
since it does not allow passing a different sock_state_cb_data

Closes #3238
2018-11-20 19:58:45 +01:00
pkubaj
7c96f6a14b ntlm: Remove redundant ifdef USE_OPENSSL
lib/curl_ntlm.c had code that read as follows:

  #ifdef USE_OPENSSL
  # ifdef USE_OPENSSL
  # else
  # ..
  # endif
  #endif

Remove the redundant USE_OPENSSL along with #else (it's not possible to
reach it anyway). The removed construction is a leftover from when the
SSLeay support was removed.

Closes #3269
Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-11-20 14:59:12 +01:00
Han Han
78ff4e0de3
ssl: replace all internal uses of CURLE_SSL_CACERT
Closes #3291
2018-11-20 14:57:00 +01:00
Daniel Gustafsson
1cccf2f945 openssl: Remove SSLEAY leftovers
Commit 709cf76f6b deprecated USE_SSLEAY, as curl since long isn't
compatible with the SSLeay library. This removes the few leftovers that
were omitted in the less frequently used platform targets.

Closes #3270
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-11-17 21:36:10 +01:00
Elia Tufarolo
07ebaf8378
http_negotiate: do not close connection until negotiation is completed
Fix HTTP POST using CURLAUTH_NEGOTIATE.

Closes #3275
2018-11-16 23:38:47 +01:00
Daniel Stenberg
6d0e487f9f
pop3: only do APOP with a valid timestamp
Brought-by: bobmitchell1956 on github
Fixes #3278
Closes #3279
2018-11-16 23:36:53 +01:00
Peter Wu
27e4ac24cd openssl: do not log excess "TLS app data" lines for TLS 1.3
The SSL_CTX_set_msg_callback callback is not just called for the
Handshake or Alert protocols, but also for the raw record header
(SSL3_RT_HEADER) and the decrypted inner record type
(SSL3_RT_INNER_CONTENT_TYPE). Be sure to ignore the latter to avoid
excess debug spam when using `curl -v` against a TLSv1.3-enabled server:

    * TLSv1.3 (IN), TLS app data, [no content] (0):

(Following this message, another callback for the decrypted
handshake/alert messages will be be present anyway.)

Closes https://github.com/curl/curl/pull/3281
2018-11-16 16:03:31 -05:00
Kamil Dudka
3d988c5563
nss: remove version selecting dead code
Closes #3262
2018-11-13 23:55:22 +01:00
Daniel Stenberg
0c448093dd
nss: set default max-tls to 1.3/1.2
Fixes #3261
2018-11-13 23:54:13 +01:00
Daniel Stenberg
42fd235040
nss: fix fallthrough comment to fix picky compiler warning 2018-11-12 15:23:17 +01:00
Tim Rühsen
c05d77ee7d
ftp: avoid two unsigned int overflows in FTP listing parser
Curl_ftp_parselist: avoid unsigned integer overflows

The overflow has no real world impact, just avoid it for "best
practice".

Closes #3225
2018-11-09 23:08:46 +01:00
Jérémy Rocher
27cb384679
openssl: support BoringSSL TLS renegotiation
As per BoringSSL porting documentation [1], BoringSSL rejects peer
renegotiations by default.

curl fails when trying to authenticate to server through client
certificate if it is requested by server after the initial TLS
handshake.

Enable renegotiation by default with BoringSSL to get same behavior as
with OpenSSL. This is done by calling SSL_set_renegotiate_mode [2]
which was introduced in commit 1d5ef3bb1eb9 [3].

1 - https://boringssl.googlesource.com/boringssl/+/HEAD/PORTING.md#tls-renegotiation
2 - https://boringssl.googlesource.com/boringssl/+/master/include/openssl/ssl.h#3482
3 - https://boringssl.googlesource.com/boringssl/+/1d5ef3bb1eb97848617db5e7d633d735a401df86

Signed-off-by: Jérémy Rocher <rocher.jeremy@gmail.com>
Fixes #3258
Closes #3259
2018-11-09 22:32:47 +01:00
Jim Fuller
5c4fe0d826
setopt: add CURLOPT_CURLU
Allows an application to pass in a pre-parsed URL via a URL handle.

Closes #3227
2018-11-09 15:47:28 +01:00
Daniel Gustafsson
8a49b291cb winssl: be consistent in Schannel capitalization
The productname from Microsoft is "Schannel", but in infof/failf
reporting we use "schannel". This removes different versions.

Closes #3243
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-11-07 10:11:13 +01:00
Daniel Stenberg
9aa8ff2895
urlapi: only skip encoding the first '=' with APPENDQUERY set
APPENDQUERY + URLENCODE would skip all equals signs but now it only skip
encoding the first to better allow "name=content" for any content.

Reported-by: Alexey Melnichuk
Fixes #3231
Closes #3231
2018-11-07 08:28:48 +01:00
Daniel Stenberg
9df8dc101b
url: a short host name + port is not a scheme
The function identifying a leading "scheme" part of the URL considered a
few letters ending with a colon to be a scheme, making something like
"short:80" to become an unknown scheme instead of a short host name and
a port number.

Extended test 1560 to verify.

Also fixed test203 to use file_pwd to make it get the correct path on
windows. Removed test 2070 since it was a duplicate of 203.

Assisted-by: Marcel Raad
Reported-by: Hagai Auro
Fixes #3220
Fixes #3233
Closes #3223
Closes #3235
2018-11-06 19:11:58 +01:00
Sangamkar
74f4782319
libcurl: stop reading from paused transfers
In the transfer loop it would previously not acknwledge the pause bit
and continue until drained or loop ended.

Closes #3240
2018-11-06 19:07:17 +01:00
Jay Satiro
28429fb175 curl_multibyte: fix a malloc overcalculation
Prior to this change twice as many bytes as necessary were malloc'd when
converting wchar to UTF8. To allay confusion in the future I also
changed the variable name for the amount of bytes from len to bytes.

Closes https://github.com/curl/curl/pull/3209
2018-11-06 03:11:05 -05:00
Michael Kaufmann
53db15ba55 netrc: don't ignore the login name specified with "--user"
- for "--netrc", don't ignore the login/password specified with "--user",
  only ignore the login/password in the URL.
  This restores the netrc behaviour of curl 7.61.1 and earlier.
- fix the documentation of CURL_NETRC_REQUIRED
- improve the detection of login/password changes when reading .netrc
- don't read .netrc if both login and password are already set

Fixes #3213
Closes #3224
2018-11-05 20:34:01 +01:00
Daniel Stenberg
d9abebc7ee
Revert "url: a short host name + port is not a scheme"
This reverts commit 226cfa8264.

This commit caused test failures on appveyor/windows. Work on fixing them is
in #3235.
2018-11-05 09:24:59 +01:00
Daniel Gustafsson
c37b66aaae infof: clearly indicate truncation
The internal buffer in infof() is limited to 2048 bytes of payload plus
an additional byte for NULL termination. Servers with very long error
messages can however cause truncation of the string, which currently
isn't very clear, and leads to badly formatted output.

This appends a "...\n" (or just "..." in case the format didn't with a
newline char) marker to the end of the string to clearly show
that it has been truncated.

Also include a unittest covering infof() to try and catch any bugs
introduced in this quite important function.

Closes #3216
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2018-11-03 20:54:18 +01:00
Daniel Stenberg
226cfa8264
url: a short host name + port is not a scheme
The function identifying a leading "scheme" part of the URL considered a few
letters ending with a colon to be a scheme, making something like "short:80"
to become an unknown scheme instead of a short host name and a port number.

Extended test 1560 to verify.

Reported-by: Hagai Auro
Fixes #3220
Closes #3223
2018-11-03 15:01:27 +01:00
Daniel Stenberg
b28094833a
URL: fix IPv6 numeral address parser
Regression from 46e164069d. Extended test 1560 to verify.

Reported-by: tpaukrt on github
Fixes #3218
Closes #3219
2018-11-03 00:14:04 +01:00
Tim Rühsen
e4f2a5bc1b
mprintf: avoid unsigned integer overflow warning
The overflow has no real world impact.
Just avoid it for "best practice".

Code change suggested by "The Infinnovation Team" and Daniel Stenberg.
Closes #3184
2018-11-02 11:07:04 +01:00
Daniel Stenberg
2c5ec339ea
Curl_follow: accept non-supported schemes for "fake" redirects
When not actually following the redirect and the target URL is only
stored for later retrieval, curl always accepted "non-supported"
schemes. This was a regression from 46e164069d.

Reported-by: Brad King
Fixes #3210
Closes #3215
2018-11-02 09:50:44 +01:00
Daniel Stenberg
302d125b42
axtls: removed
As has been outlined in the DEPRECATE.md document, the axTLS code has
been disabled for 6 months and is hereby removed.

Use a better supported TLS library!

Assisted-by: Daniel Gustafsson
Closes #3194
2018-11-01 10:29:53 +01:00
marcosdiazr
7f4c358541
schannel: make CURLOPT_CERTINFO support using Issuer chain
Closes #3197
2018-11-01 10:21:51 +01:00
Daniel Stenberg
832661b3a7
schannel: use Curl_ prefix for global private symbols
Curl_verify_certificate() must use the Curl_ prefix since it is globally
available in the lib and otherwise steps outside of our namespace!

Closes #3201
2018-11-01 09:39:45 +01:00
Daniel Gustafsson
1460e89e01 vtls: add MesaLink to curl_sslbackend enum
MesaLink support was added in commit 57348eb97d but the
backend was never added to the curl_sslbackend enum in curl/curl.h.
This adds the new backend to the enum and updates the relevant docs.

Closes #3195
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-30 16:56:51 +01:00
Daniel Stenberg
f3a24d7916
Curl_auth_create_plain_message: fix too-large-input-check
CVE-2018-16839
Reported-by: Harry Sintonen
Bug: https://curl.haxx.se/docs/CVE-2018-16839.html
2018-10-29 08:05:23 +01:00
Daniel Stenberg
81d135d671
Curl_close: clear data->multi_easy on free to avoid use-after-free
Regression from b46cfbc068 (7.59.0)
CVE-2018-16840
Reported-by: Brian Carpenter (Geeknik Labs)

Bug: https://curl.haxx.se/docs/CVE-2018-16840.html
2018-10-29 08:05:23 +01:00
Daniel Stenberg
75b94d77e8
rand: add comment to skip a clang-tidy false positive 2018-10-27 15:59:44 +02:00
Daniel Stenberg
feea1259e4
x509asn1: always check return code from getASN1Element() 2018-10-27 15:59:43 +02:00
Daniel Stenberg
be20814191
Makefile: add 'tidy' target that runs clang-tidy
Available in the root, src and lib dirs.

Closes #3163
2018-10-27 15:59:38 +02:00
Patrick Monnerat
c335b7f1f7 x509asn1: suppress left shift on signed value
Use an unsigned variable: as the signed operation behavior is undefined,
this change silents clang-tidy about it.

Ref: https://github.com/curl/curl/pull/3163
Reported-By: Daniel Stenberg
2018-10-27 15:04:50 +02:00
Michael Kaufmann
3793761a37 multi: Fix error handling in the SENDPROTOCONNECT state
If Curl_protocol_connect() returns an error code,
handle the error instead of switching to the next state.

Closes #3170
2018-10-27 13:03:50 +02:00
Daniel Stenberg
44a9e9f80f
openssl: output the correct cipher list on TLS 1.3 error
When failing to set the 1.3 cipher suite, the wrong string pointer would
be used in the error message. Most often saying "(nil)".

Reported-by: Ricky-Tigg on github
Fixes #3178
Closes #3180
2018-10-27 10:46:38 +02:00
Daniel Gustafsson
5c8c310edb ssh: free the session on init failures
Ensure to clear the session object in case the libssh2 initialization
fails.

It could be argued that the libssh2 error function should be called to
get a proper error message in this case. But since the only error path
in libssh2_knownhost_init() is memory a allocation failure it's safest
to avoid since the libssh2 error handling allocates memory.

Closes #3179
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-26 15:39:15 +02:00
Daniel Gustafsson
68348461dc
openssl: make 'done' a proper boolean
Closes #3176
2018-10-26 13:51:25 +02:00
Daniel Stenberg
ebfe02f73c
gtls: Values stored to but never read
Detected by clang-tidy

Closes #3176
2018-10-26 13:51:07 +02:00
Gisle Vanem
639d052e44
rtmp: fix for compiling with lwIP
Compiling on _WIN32 and with USE_LWIPSOCK, causes this error:
  curl_rtmp.c(223,3):  error: use of undeclared identifier 'setsockopt'
    setsockopt(r->m_sb.sb_socket, SOL_SOCKET, SO_RCVTIMEO,
    ^
  curl_rtmp.c(41,32):  note: expanded from macro 'setsockopt'
  #define setsockopt(a,b,c,d,e) (setsockopt)(a,b,c,(const char *)d,(int)e)
                                 ^
Closes #3155
2018-10-26 00:04:02 +02:00
Michael Kaufmann
daabc91581 urldata: Fix comment in header
The "connecting" function is used by multiple protocols, not only FTP
2018-10-25 13:04:03 +02:00
Michael Kaufmann
d48e6b7f95 netrc: free temporary strings if memory allocation fails
- Change the inout parameters after all needed memory has been
  allocated. Do not change them if something goes wrong.
- Free the allocated temporary strings if strdup() fails.

Closes #3122
2018-10-25 12:54:55 +02:00
Ruslan Baratov
4f2541f975
config: Remove unused SIZEOF_VOIDP
Closes #3162
2018-10-24 11:20:57 +02:00
Gisle Vanem
eda0998894
Fix for compiling with lwIP (3)
lwIP on Windows does not have a WSAIoctl() function. 
But it do have a SO_SNDBUF option to lwip_setsockopt(). But it currently does nothing.
2018-10-23 12:55:07 +02:00
Daniel Stenberg
6535b9303d
Curl_follow: return better errors on URL problems
... by making the converter function global and accessible.

Closes #3153
2018-10-23 11:43:41 +02:00
Daniel Stenberg
ca10fae6fc
Curl_follow: remove remaining free(newurl)
Follow-up to 05564e750e. This function no longer frees the passed-in
URL.

Reported-by: Michael Kaufmann
Bug: 05564e750e (commitcomm)
ent-30985666
2018-10-23 11:43:41 +02:00
Daniel Gustafsson
06d8f16b87 headers: end all headers with guard comment
Most headerfiles end with a /* <headerguard> */ comment, but it was
missing from some. The comment isn't the most important part of our
code documentation but consistency has an intrinsic value in itself.
This adds header guard comments to the files that were lacking it.

Closes #3158
Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-23 10:02:24 +02:00
Daniel Stenberg
05564e750e
multi: avoid double-free
Curl_follow() no longer frees the string. Make sure it happens in the
caller function, like we normally handle allocations.

This bug was introduced with the use of the URL API internally, it has
never been in a release version

Reported-by: Dario Weißer
Closes #3149
2018-10-19 15:29:31 +02:00
Daniel Stenberg
8a49f91d32
multi: make the closure handle "inherit" CURLOPT_NOSIGNAL
Otherwise, closing that handle can still cause surprises!

Reported-by: Martin Ankerl
Fixes #3138
Closes #3147
2018-10-19 11:03:17 +02:00
Marcel Raad
abebb2b893
config_win32: enable LDAPS
As done in the autotools and CMake builds by default.

Closes https://github.com/curl/curl/pull/3137
2018-10-19 09:23:14 +02:00
Daniel Stenberg
ad547fcf7b
travis: add build for "configure --disable-verbose"
Closes #3144
2018-10-18 14:51:49 +02:00
Matthew Whitehead
df54b14fb7 x509asn1: Fix SAN IP address verification
For IP addresses in the subject alternative name field, the length
of the IP address (and hence the number of bytes to perform a
memcmp on) is incorrectly calculated to be zero. The code previously
subtracted q from name.end. where in a successful case q = name.end
and therefore addrlen equalled 0. The change modifies the code to
subtract name.beg from name.end to calculate the length correctly.

The issue only affects libcurl with GSKit SSL, not other SSL backends.
The issue is not a security issue as IP verification would always fail.

Fixes #3102
Closes #3141
2018-10-16 03:52:47 -04:00
Marcel Raad
6c413648ec
nonblock: fix unused parameter warning
If USE_BLOCKING_SOCKETS is defined, curlx_nonblock's arguments are not
used.
2018-10-14 21:07:45 +02:00
Michael Kaufmann
6afe70a00b Curl_follow: Always free the passed new URL
Closes #3124
2018-10-13 13:18:51 +02:00
Daniel Gustafsson
12d833fa1e transfer: fix typo in comment 2018-10-10 23:50:13 +02:00
Viktor Szakats
e13f023777 ldap: show precise LDAP call in error message on Windows
Also add a unique but common text ('bind via') to make it
easy to grep this specific failure regardless of platform.

Ref: https://github.com/curl/curl/pull/878/files#diff-7a636f08047c4edb53a240f540b4ecf6R468
Closes https://github.com/curl/curl/pull/3118
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2018-10-09 15:05:35 +00:00
Marcel Raad
673795f814
curl_setup: define NOGDI on Windows
This avoids an ERROR macro clash between <wingdi.h> and <arpa/tftp.h>
on MinGW.

Closes https://github.com/curl/curl/pull/3113
2018-10-09 08:33:53 +02:00
Marcel Raad
940e1c1e74
Windows: fixes for MinGW targeting Windows Vista
Classic MinGW has neither InitializeCriticalSectionEx nor
GetTickCount64, independent of the target Windows version.

Closes https://github.com/curl/curl/pull/3113
2018-10-09 08:33:45 +02:00